Dear gurus,

I'm getting confused at this point about the KeyInfo and EncryptedKey. I have an XML document to be encrypted by an AES session key, which is then wrapped by RSA.

Which of the formats should I use, or do you have any other suggestions?

Format 1 (certificate placed at the first layer of KeyInfo, EncryptedData/KeyInfo/X509Data):

<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedKey>
    <ds:X509Data>
      <!-- Cert for key-wrapping -->
      <ds:X509Certificate>MIIC...</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
  <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">...</xenc:CipherValue>
  </xenc:CipherData>
</xenc:EncryptedData>

Format 2 (certificate placed under EncryptedData/EncryptedKey/KeyInfo/X509Data):

<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></xenc:EncryptionMethod>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></xenc:EncryptionMethod>
      <ds:KeyInfo>
        <ds:X509Data>
          <!-- Cert for key-wrapping -->
          <ds:X509Certificate>MIIC...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>...</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData>
    <xenc:CipherValue>...</xenc:CipherValue>
  </xenc:CipherData>
</xenc:EncryptedData>

Thanks in advance,
Gary

On Wed, Feb 18, 2009 at 10:51 PM, Sean Mullan <sean.mul...@sun.com> wrote:
> Gary Tse wrote:
>
>> Dear gurus,
>>
>> I'm working with the Apache XML security 1.4.2 (Java version) and suspect
>> a problem in the sample.
>>
>> This sample is supplied with the 1.4.2 package:
>>
>> <xml-security-1_4_2>/src_samples/org/apache/xml/security/samples/encryption/Encrypter.java
>>
>> The sample runs fine and produced this (and the key-encryption-key file
>> kek):
>>
>> <apache:RootElement xmlns:apache="http://www.apache.org/ns/#app1">
>>   <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
>>     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
>>     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-tripledes" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
>>         <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>           <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">YD/20hNbr8wNAGCJRxg+IqQaJF2I+pahDknGvmVAC3I=</xenc:CipherValue>
>>         </xenc:CipherData>
>>       </xenc:EncryptedKey>
>>     </ds:KeyInfo>
>>     <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>       <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">mblZKJ25HspqQopvfwUELnbE1hqrKDt54N849eksaQBMZZ4FgWf+N4HYTyA87GLh0m+bZSt3JtlXGWmPx395ZyGVGEaz3Ic7LoBK+65DSjkmWqKGt1XHSuqpSOK3UKdB4skLqnv7Ji48tmpyHF513Q==</xenc:CipherValue>
>>     </xenc:CipherData>
>>   </xenc:EncryptedData>
>> </apache:RootElement>
>>
>> In the XML encryption spec, link here:
>>
>> http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-Extensions-to-KeyInfo
>>
>> "The EncryptedData or EncryptedKey element specify the associated
>> keying material via a child of ds:KeyInfo. All of the child elements of
>> ds:KeyInfo specified in [XML-DSIG
>> <http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#ref-XML-DSIG>]
>> MAY be used as qualified:"
>>
>> From the XML spec, does it mean that an extra <ds:KeyInfo> should be
>> placed in the <xenc:EncryptedKey> element to provide information about the
>> encrypted key? If so, the sample code might need updating.
>>
>
> It's not mandatory, but something to help identify the key would be useful,
> for example:
>
> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>   <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
>     <ds:KeyName>Key XXX</ds:KeyName>
>   </ds:KeyInfo>
>   ...
>
> Keep in mind these are just samples and you should modify or adapt them to
> your specific requirements.
>
> Thanks,
> Sean
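An added example, not code from the thread, that makes the difference between the two layouts concrete: per the XML Encryption passage quoted above, a ds:KeyInfo describes the key that encrypted its parent's CipherData, so a certificate inside EncryptedKey/KeyInfo (Format 2) names the RSA key-encryption key, while one placed beside EncryptedKey in the outer KeyInfo (Format 1) sits in the layer that describes the AES data key. The script classifies a document, flags Algorithm URIs with stray whitespace (which no implementation will match against its algorithm registry), and rewrites Format 1 into Format 2; the XML sample and its CipherValue strings are constructed.

```python
# Added example (not from the thread): find which KeyInfo layer holds the key-wrapping
# certificate in an xenc:EncryptedData document and move it into EncryptedKey/KeyInfo.
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xenc": XENC, "ds": DS}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
# Constructed "Format 1" sample: X509Data beside EncryptedKey; the AES URI carries a stray space.
FORMAT1 = f"""<xenc:EncryptedData xmlns:xenc="{XENC}" xmlns:ds="{DS}" Type="{XENC}Content">
  <xenc:EncryptionMethod Algorithm=" {XENC}aes256-cbc"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
      <xenc:CipherData><xenc:CipherValue>d3JhcHBlZA==</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
    <ds:X509Data><ds:X509Certificate>MIIC...</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>Y29udGVudA==</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

def describe(xml_text):
    """Report both algorithms, where the certificate lives, and whitespace-damaged URIs."""
    root = ET.fromstring(xml_text)
    bad = [e.get("Algorithm") for e in root.iter(f"{{{XENC}}}EncryptionMethod")
           if e.get("Algorithm") != e.get("Algorithm", "").strip()]
    ek = root.find("ds:KeyInfo/xenc:EncryptedKey", NS)
    inner = ek is not None and ek.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
    outer = root.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
    # Format 2: the cert describes the key-encryption key; Format 1: it sits in the data-key layer
    cert_under = "EncryptedKey" if inner else "EncryptedData" if outer else None
    wrap = ek.find("xenc:EncryptionMethod", NS) if ek is not None else None
    return {"data_alg": root.find("xenc:EncryptionMethod", NS).get("Algorithm").strip(),
            "wrap_alg": wrap.get("Algorithm").strip() if wrap is not None else None,
            "cert_under": cert_under, "bad_uris": bad}

def to_format2(xml_text):
    """Strip URI whitespace and relocate an outer-KeyInfo X509Data under EncryptedKey/KeyInfo."""
    root = ET.fromstring(xml_text)
    for e in root.iter(f"{{{XENC}}}EncryptionMethod"):
        e.set("Algorithm", e.get("Algorithm", "").strip())
    outer = root.find("ds:KeyInfo", NS)
    ek = outer.find("xenc:EncryptedKey", NS)
    x509 = outer.find("ds:X509Data", NS)
    if x509 is not None and ek is not None and ek.find("ds:KeyInfo", NS) is None:
        outer.remove(x509)
        ki = ET.Element(f"{{{DS}}}KeyInfo")
        ki.append(x509)
        # schema order inside EncryptedKey is EncryptionMethod?, KeyInfo?, CipherData
        ek.insert(list(ek).index(ek.find("xenc:CipherData", NS)), ki)
    return ET.tostring(root, encoding="unicode")
```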